Configure the RepositoryAuthenticationProvider

AuthenticationProvider Configuration

When using the JAAS login and a user can authenticate, by default the user will have or get role everybody. However, it is likely that you want more fine-grained control over which authenticated user is allowed what, see Delivery Tier Authorization Configuration.

This can be done by configuring the org.hippoecm.hst.security.impl.RepositoryAuthenticationProvider. which is the default provided org.hippoecm.hst.security.AuthenticationProvider, see Customize the Delivery Tier's Authentication Provider.

The org.hippoecm.hst.security.impl.RepositoryAuthenticationProvider takes the following configuration settings which can be overridden per HST site webapp in its hst-config.properties, see HST-2 Container Configuration.

### Hippo Login Module Authentication Provider configurations ###
## default properties for the RepositoryAuthenticationProvider ##
# optional required userrole to be allowed to authenticate
security.authentication.required.userrole =
# default excluded standard provided userroles (prefixed with xm.)
security.authentication.excluded.userrole.prefixes = xm.
# , delimiter separating multiple excluded userrole prefixes
security.authentication.excluded.userrole.prefixes.delimiter= ,
# default include only standard provided userroles (prefixed with xm.): effectively by default don't include any!
security.authentication.included.userrole.prefix = xm.
# by default strip the userrole prefix (if any) from the mapped role name
security.authentication.strip.included.userrole.prefix = true
# prefix to be added to produced role names (default no prefix added)
security.authentication.role.prefix =
## common/shared properties for all Authentication Provider beans ##
# default role to be added to anyone authenticated (if not already added): to be specified *without* possible role.prefix
security.authentication.default.role = everybody
## properties only used for the deprecated jcrAuthenticationProvider/HippoAuthenticationProvider ##
# the default domain name to use for querying and resolving role mappings
security.authentication.role.domain = everywhere

The above default configuration effectively will map no userroles (both excluded and include prefix are by default "xm."), but will always add/return default role "everybody".

Therefore, to effectively make use of the role mapping (besides the authentication) feature, a project will need to customize/override a few of these configuration properties, see see Delivery Tier Authorization Configuration.

Example usage

Assume a test project with a (minimal) example setup with the following configuration overrides in its hst-config.properties:

security.authentication.required.userrole = hst.site.user
security.authentication.included.userrole.prefix = site.

This will require everybody logging in through a site to have at least the userrole hst.site.user assigned, and only will filter and map userroles of the authenticated user to role principals which userrole name starts with the site. prefix.

In the test project the following example configuration then can be used to set this up:

definitions:
  config:
    /hippo:configuration/hippo:userroles:
      /hst.site.user:
        jcr:primaryType: hipposys:userrole
      /site.admin:
        jcr:primaryType: hipposys:userrole
      /xm.cms.user:
        hipposys:userroles:
          operation: add
          value: [hst.site.user]
    /hippo:configuration/hippo:users/admin:
      hipposys:userroles:
        operation: add
        value: [site.admin]
    /hippo:configuration/hippo:groups/admin:
      hipposys:userroles:
        operation: add
        value: [site.admin]

The above yaml bootstrap configuration defines:

  1. userrole hst.site.user
  2. userrole site.admin
  3. the userrole xm.cms.user inherits (implies) hst.site.user
  4. the admin user and group have been granted the userrole site.admin

Now, with the above setup, HST role security can be used and enforced, for example for access to a specific sitemap item like:

definitions:
  config:
    /hst:hst/hst:configurations/demosite/hst:sitemap:
      jcr:primaryType: hst:sitemap
      /test:
        jcr:primaryType: hst:sitemapitem
        hst:authenticated: true
        hst:roles: [admin]

The above example sitemap item test will require authentication and only a user with the admin role principal will be allowed to access it : the admin user does get role principal admin because 

  1. It has the userrole site.admin
  2. We configured a userrole prefix (mapping) security.authentication.included.userrole.prefix = site.

Because of the userrole prefix site. , only userroles starting with site. are included, and they are included by stripping of site., thus site.admin userrole translates into role admin​​

Modify the default added role

By default, any authenticated user gets by default the role everybody added. If you want to modify this, say, to role siteusers through specifying in your hst-config.properties 

security.authentication.default.role = siteusers

then make sure to also adjust the Servlet Configuration described at Delivery Tier Authentication to replace everybody with siteusers 

 

 

Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?